Google Compute Engine vm Debian 9 port 25 outgoing email issue

So I decided to give Google Cloud a try and setup a Perfect Server Debian 9. Have done it plenty of times before on my own servers and vm's...the only problem is that google blocks port 25 outgoing. They allow 587 and 465 though....but I can't seem to get it to work with emails leaving the server. Incoming email is fine.
postfix master.cf has submission uncommented.
roundcube, I've edited config.inc.php so it looks at port 587 with tls://%n and user credentials. roundcube shows the email going without error.
I check mail.log and I see the email passing into amavis, BUT then I see it trying to leave google on port 25 again...could it be that amavis is reinjecting the email into postfix on port 25? If so, how do I change that? If not....what am I missing.

Mail servers communicate between each other on port 25. Google blocks port 25 outgoing which means you can't use Google compute engine to host a mail server, or at least you need a second mail server which is not hosted at Google to act as a relay. It's the same with amazon. Better use a different hosting company when you want to run a mail server.

The article explains what I mentioned as an option in my post, if you want to use google cloud then you need a second mail server outside of compute engine as email relay as they do not allow you to send emails on port 25 which is required for a mail server. You can configure such a relay server in ISPConfig under System > server config > mail. But this renders the whole thing quite useless in my opinion, there are many good cloud hosters available that allow you to run a mail server, so why use one which does not allow it.

Just as a clarification, the alternate ports they mentioned can just be used to connect to an external relay server. They are not a replacement for port 25, so your server will not be able to send out emails on its own when its in compute engine.

Instead of their direct settings, I used ISPC for relayhost: [smtp.mailgun.org]:2525
Of course, this made the same changes they recommend with one exception that I manually changed in main.cf:
smtp_tls_security_level = encrypt

I'm trying to send via roundcube and made the following changes per various threads here:
default_host=tls://%n
smtp_server=tls://%n
smtp_port=587
smtp_auth_type=PLAIN
smtp_user=%u
smtp_pass=%p
(sorry the above isn't formatted).

When I send I get the following:
Jul 25 00:55:15 ns1 postfix/smtp[20593]: c80c360bef: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.08, delays=0.06/0.01/0.01/0, dns=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])

Seems like it's upset that amavis isn't accepting/giving tls....but I don't understand exactly why I needed for force tls from roundcube anyway. Whatever it is...it's not sending and that's the error.

Please undo the smtp_tls_security_level change you made as this switches internal connections to amavis to tls which does not work. You may do this for a special transport in master.cf by using an -o parameter line but not globally.

update: I was able to login to roundcube by changing the config:
default_host = localhost
smtp_server = tls://%n

Now when I email, it's an instant bounceback:
host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=01263-09
- Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10027):
530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA
command)

Seems as if you still configured your system to require tls for internal connections. Please undo these changes to get the working setup back. Connections on localhost between postfix and amavis shall not be over TLS and the system will fail if you force tls on localhost as you can see.

The error means that you are still enforcing tls, either in master.cf or main.cf r you did not restart postfix after you did config changes. I've attached the postfix config files or a working setup so that you can compare yours with known good ones to fix your setup. Had to rename the files to .txt for the upload.